From patchwork Wed Oct 25 03:24:59 2017
X-Patchwork-Submitter: Matt Weber
X-Patchwork-Id: 830084
From: Matt Weber
To: buildroot@buildroot.org
Date: Tue, 24 Oct 2017 22:24:59 -0500
Message-Id: <1508901900-11190-1-git-send-email-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 1/2] stack protector: moved option to security menu

Signed-off-by: Matthew Weber
---
 Config.in | 114 ++++++++++++++++++++++++++++++++------------------------------
 1 file changed, 59 insertions(+), 55 deletions(-)

diff --git a/Config.in b/Config.in
index 814dc02..f3c9dcd 100644
--- a/Config.in
+++ b/Config.in
@@ -566,61 +566,6 @@ config BR2_GOOGLE_BREAKPAD_INCLUDE_FILES endif choice - bool "build code with Stack Smashing Protection" - default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy - depends on BR2_TOOLCHAIN_HAS_SSP - help - Enable stack smashing protection support using GCC's - -fstack-protector option family. - - See - http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt - for details. - - Note that this requires the toolchain to have SSP support. - This is always the case for glibc and eglibc toolchain, but is - optional in uClibc toolchains. - -config BR2_SSP_NONE - bool "None" - help - Disable stack-smashing protection. - -config BR2_SSP_REGULAR - bool "-fstack-protector" - help - Emit extra code to check for buffer overflows, such as stack - smashing attacks. This is done by adding a guard variable to - functions with vulnerable objects. This includes functions - that call alloca, and functions with buffers larger than 8 - bytes. The guards are initialized when a function is entered - and then checked when the function exits. If a guard check - fails, an error message is printed and the program exits. - -config BR2_SSP_STRONG - bool "-fstack-protector-strong" - depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 - help - Like -fstack-protector but includes additional functions to be - protected - those that have local array definitions, or have - references to local frame addresses. - -comment "Stack Smashing Protection strong needs a toolchain w/ gcc >= 4.9" - depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 - -config BR2_SSP_ALL - bool "-fstack-protector-all" - help - Like -fstack-protector except that all functions are - protected. This option might have a significant performance - impact on the compiled binaries. - -endchoice - -comment "Stack Smashing Protection needs a toolchain w/ SSP" - depends on !BR2_TOOLCHAIN_HAS_SSP - -choice bool "libraries" default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED default BR2_STATIC_LIBS if !BR2_BINFMT_SUPPORTS_SHARED 
@@ -728,6 +673,65 @@ config BR2_REPRODUCIBLE endmenu +menu "Security Hardening Options" + +choice + bool "build code with Stack Smashing Protection" + default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy + depends on BR2_TOOLCHAIN_HAS_SSP + help + Enable stack smashing protection support using GCC's + -fstack-protector option family. + + See + http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt + for details. + + Note that this requires the toolchain to have SSP support. + This is always the case for glibc and eglibc toolchain, but is + optional in uClibc toolchains. + +config BR2_SSP_NONE + bool "None" + help + Disable stack-smashing protection. + +config BR2_SSP_REGULAR + bool "-fstack-protector" + help + Emit extra code to check for buffer overflows, such as stack + smashing attacks. This is done by adding a guard variable to + functions with vulnerable objects. This includes functions + that call alloca, and functions with buffers larger than 8 + bytes. The guards are initialized when a function is entered + and then checked when the function exits. If a guard check + fails, an error message is printed and the program exits. + +config BR2_SSP_STRONG + bool "-fstack-protector-strong" + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 + help + Like -fstack-protector but includes additional functions to be + protected - those that have local array definitions, or have + references to local frame addresses. + +comment "Stack Smashing Protection strong needs a toolchain w/ gcc >= 4.9" + depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 + +config BR2_SSP_ALL + bool "-fstack-protector-all" + help + Like -fstack-protector except that all functions are + protected. This option might have a significant performance + impact on the compiled binaries. 
+ +endchoice + +comment "Stack Smashing Protection needs a toolchain w/ SSP" + depends on !BR2_TOOLCHAIN_HAS_SSP + +endmenu + endmenu source "toolchain/Config.in"

From patchwork Wed Oct 25 03:25:00 2017
X-Patchwork-Submitter: Matt Weber
X-Patchwork-Id: 830085
From: Matt Weber
To: buildroot@buildroot.org
Date: Tue, 24 Oct 2017 22:25:00 -0500
Message-Id: <1508901900-11190-2-git-send-email-matthew.weber@rockwellcollins.com>
In-Reply-To: <1508901900-11190-1-git-send-email-matthew.weber@rockwellcollins.com>
References: <1508901900-11190-1-git-send-email-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 2/2] security hardening: add RELRO, FORTIFY options

This enables a user to build a complete system using these options. It is important to note that not all packages will build correctly to start with. Additional initial patches which update linker ordering changes, etc. will be upstreamed and then submitted to buildroot as a patch or bump.

A good testing tool to check a target's ELF files for compliance to an array of hardening techniques can be found here: https://github.com/slimm609/checksec.sh
Signed-off-by: Matthew Weber
---
 Config.in           | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 package/Makefile.in | 25 +++++++++++++++++++++++
 2 files changed, 83 insertions(+)

diff --git a/Config.in b/Config.in
index f3c9dcd..4129e85 100644
--- a/Config.in
+++ b/Config.in
@@ -730,6 +730,64 @@ endchoice comment "Stack Smashing Protection needs a toolchain w/ SSP" depends on !BR2_TOOLCHAIN_HAS_SSP +choice + bool "RELRO protection" + help + Enable a link-time protection know as RELRO (RELocation Read Only) + which helps to protect from certain type of exploitation techniques + altering the content of some ELF sections. + +config BR2_RELRO_NONE + bool "None" + help + Enables Relocation link-time protections. + +config BR2_RELRO_PARTIAL + bool "Partial" + help + This option makes the dynamic section not writeable after + initialization (with almost no performance penalty). + +config BR2_RELRO_FULL + bool "Full" + help + This option includes the partial configuration, but also + marks the GOT as read-only at the cost of initialization time + during program loading, i.e every time an executable is started. + +endchoice + +choice + bool "Buffer-overflow detection (FORTIFY_SOURCE)" + help + Enable the _FORTIFY_SOURCE macro which introduces additional + checks to detect buffer-overflows in the following standard library + functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, + strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, + gets. + +config BR2_FORTIFY_SOURCE_NONE + bool "None" + help + Enables additional checks to detect buffer-overflows. + +config BR2_FORTIFY_SOURCE_1 + bool "Conservative" + help + This option sets _FORTIFY_SOURCE set to 1 and only introduces + checks that shouldn't change the behavior of conforming programs. + Adds checks at compile-time only. + +config BR2_FORTIFY_SOURCE_2 + bool "Aggressive" + help + This option sets _FORTIFY_SOURCES set to 2 and some more checking + is added, but some conforming programs might fail. + Also adds checks at run-time (detected buffer overflow terminates + the program) + +endchoice + endmenu endmenu diff --git a/package/Makefile.in b/package/Makefile.in index a1a5316..c99361f 100644 --- a/package/Makefile.in +++ b/package/Makefile.in 
@@ -144,6 +144,9 @@ TARGET_CXXFLAGS = $(TARGET_CFLAGS) TARGET_FCFLAGS = $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING) TARGET_LDFLAGS = $(call qstrip,$(BR2_TARGET_LDFLAGS)) +TARGET_CFLAGS_RELRO = -Wl,-z,relro +TARGET_CFLAGS_RELRO_FULL = -Wl,-z,now $(TARGET_CFLAGS_RELRO) + ifeq ($(BR2_BINFMT_FLAT),y) TARGET_CFLAGS += $(if $($(PKG)_FLAT_STACKSIZE),-Wl$(comma)-elf2flt=-s$($(PKG)_FLAT_STACKSIZE),\ -Wl$(comma)-elf2flt) @@ -181,6 +184,28 @@ TARGET_CXXFLAGS += -fstack-protector-all TARGET_FCFLAGS += -fstack-protector-all endif +ifeq ($(BR2_RELRO_PARTIAL),y) +TARGET_CFLAGS += $(TARGET_CFLAGS_RELRO) +TARGET_CXXFLAGS += $(TARGET_CFLAGS_RELRO) +TARGET_FCFLAGS += $(TARGET_CFLAGS_RELRO) +TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO) +else ifeq ($(BR2_RELRO_FULL),y) +TARGET_CFLAGS += -fPIE $(TARGET_CFLAGS_RELRO_FULL) +TARGET_CXXFLAGS += -fPIE $(TARGET_CFLAGS_RELRO_FULL) +TARGET_FCFLAGS += -fPIE $(TARGET_CFLAGS_RELRO_FULL) +TARGET_LDFLAGS += -pie +endif + +ifeq ($(BR2_FORTIFY_SOURCE_1),y) +TARGET_CFLAGS += -D_FORTIFY_SOURCE=1 +TARGET_CXXFLAGS += -D_FORTIFY_SOURCE=1 +TARGET_FCFLAGS += -D_FORTIFY_SOURCE=1 +else ifeq ($(BR2_FORTIFY_SOURCE_2),y) +TARGET_CFLAGS += -D_FORTIFY_SOURCE=2 +TARGET_CXXFLAGS += -D_FORTIFY_SOURCE=2 +TARGET_FCFLAGS += -D_FORTIFY_SOURCE=2 +endif + ifeq ($(BR2_TOOLCHAIN_BUILDROOT),y) TARGET_CROSS = $(HOST_DIR)/bin/$(GNU_TARGET_NAME)- else
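Review bot: in the `@@ -730,6 +730,64 @@` hunk of Config.in, the help text of both "None" entries states the opposite of what the entry does: `BR2_RELRO_NONE` reads `Enables Relocation link-time protections.` and `BR2_FORTIFY_SOURCE_NONE` reads `Enables additional checks to detect buffer-overflows.`; both should say the protection is disabled, mirroring the `Disable stack-smashing protection.` wording of `BR2_SSP_NONE`. The `BR2_FORTIFY_SOURCE_1` line `Adds checks at compile-time only.` is also wrong: level 1 already inserts the run-time `__*_chk` calls wherever the destination size is known, and level 2 only adds stricter checks, so that sentence should go. Unlike the SSP choice just above (guarded by `depends on BR2_TOOLCHAIN_HAS_SSP` plus a comment when the toolchain lacks it), neither new choice has a toolchain dependency, although `_FORTIFY_SOURCE` needs support in the C library headers; a matching guard would be consistent. Typos in the help strings: `know as RELRO` (known as), `certain type of` (types), `i.e every` (i.e.), `sets _FORTIFY_SOURCE set to 1` (sets _FORTIFY_SOURCE to 1), `_FORTIFY_SOURCES set to 2` (_FORTIFY_SOURCE to 2), and the "Aggressive" help is missing its closing full stop.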
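Review bot: in the `@@ -144,6 +144,9 @@` hunk of package/Makefile.in, `TARGET_CFLAGS_RELRO` and `TARGET_CFLAGS_RELRO_FULL` hold only linker options (`-Wl,-z,relro`, `-Wl,-z,now`), and the following hunk appends one of them to `TARGET_LDFLAGS` as well, so a name such as `TARGET_LDFLAGS_RELRO` / `TARGET_LDFLAGS_RELRO_FULL` (suggested names) would say what they are; a one-line comment that partial RELRO makes the dynamic section read-only after relocation and full RELRO additionally resolves all symbols at load time so the GOT can be made read-only too would help readers of Makefile.in who never open Config.in.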
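Review bot: in the `@@ -181,6 +184,28 @@` hunk, the two RELRO branches treat `TARGET_LDFLAGS` differently: the partial branch appends `$(TARGET_CFLAGS_RELRO)` to `TARGET_LDFLAGS`, but the full branch appends only `-pie`, so a package whose link step uses `TARGET_LDFLAGS` without `TARGET_CFLAGS` ends up with PIE and no RELRO at all in the "Full" configuration; it should read `TARGET_LDFLAGS += -pie $(TARGET_CFLAGS_RELRO_FULL)`. Second, `-fPIE`/`-pie` is a separate hardening (a position-independent executable) that the `BR2_RELRO_FULL` help text never mentions, and here it is applied to every compile and link, shared libraries included: `-pie` is an executable-only link option, and `-fPIE` objects can be rejected by the linker when a shared object is built (the "recompile with -fPIC" error), which is likely part of the "not all packages will build" caveat in the commit message; a separate PIE choice would be cleaner. Third, for the `_FORTIFY_SOURCE` branches, glibc's headers disable the checks (with a warning) unless optimization is enabled, so the Config.in choice should exclude the -O0 optimization level, and packages that already define `_FORTIFY_SOURCE` themselves will hit macro redefinition warnings, so `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` is the safer spelling.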
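The commit message points at checksec.sh for checking target ELF files. As an added example (not Buildroot code and not checksec.sh itself), the script below applies checksec's RELRO classification directly to an ELF64 little-endian file, so a build using the new `-Wl,-z,relro` / `-Wl,-z,now` flags can be verified binary by binary; `make_sample_elf` builds a constructed, non-loadable test image, and a real binary is checked with `relro_status(open(path, "rb").read())`.

```python
import struct

# ELF constants used below (values from the ELF gABI / glibc elf.h)
ET_DYN = 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def relro_status(data: bytes) -> dict:
    """Classify RELRO like checksec: PT_GNU_RELRO present = partial, plus a
    BIND_NOW flag in the dynamic section = full.  Also reports ET_DYN, which
    -pie produces (shared libraries are ET_DYN too).  Assumes ELF64 LE."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("example only parses ELF64 little-endian files")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_relro = bind_now = False
    for i in range(e_phnum):
        hdr = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = hdr[0], hdr[2], hdr[5]
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # walk the 16-byte (tag, value) pairs of the dynamic array up to DT_NULL
            for pos in range(p_offset, p_offset + p_filesz - 15, 16):
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == DT_NULL:
                    break
                now_bits = {DT_FLAGS: DF_BIND_NOW, DT_FLAGS_1: DF_1_NOW}.get(tag, 0)
                bind_now = bind_now or tag == DT_BIND_NOW or bool(val & now_bits)
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"relro": relro, "et_dyn": e_type == ET_DYN}

def make_sample_elf(relro: bool, bind_now: bool, e_type: int = ET_DYN) -> bytes:
    """Constructed, non-loadable ELF64 image carrying only the metadata read above."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_DYNAMIC, 64 + 2 * 56, len(dyn))]  # dynamic array after 2 phdr slots
    if relro:
        phdrs.append((PT_GNU_RELRO, 0, 0))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 0, off, 0, 0, sz, sz, 8) for t, off, sz in phdrs)
    body += bytes(56 * (2 - len(phdrs)))  # keep the dynamic array at offset 176
    return ehdr + body + dyn
```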